Diffstat (limited to 'README.md')
-rw-r--r-- | README.md | 155 |
1 files changed, 1 insertions, 154 deletions
@@ -96,157 +96,4 @@ Use this issue to request new profiles: [#1139](https://github.com/netblue30/fir | |||
96 | ````` | 96 | ````` |
97 | 97 | ||
98 | ````` | 98 | ````` |
99 | # Current development version: 0.9.51 | 99 | # Current development version: 0.9.53 |
100 | |||
101 | ## Whitelisting, globbing etc. | ||
102 | |||
103 | We deployed a whitelist for /var directory ("include /etc/firejail/whitelist-var-common.inc"). | ||
104 | It is currently done for 115 applications. | ||
105 | |||
106 | We added globbing support for --private-bin and whitelisting support for /etc and /usr/share. | ||
107 | |||
108 | --private-lib was enhanced to autodetect GTK2, GTK3 and Qt4 libraries. In the next release we do a test run with this option enabled | ||
109 | for the following applications: evince, galculator, gnome-calculator, | ||
110 | leafpad, mousepad, transmission-gtk, xcalc, xmr-stak-cpu, | ||
111 | atril, mate-color-select, tar, file, strings, gpicview, | ||
112 | eom, eog, gedit, pluma | ||
113 | |||
114 | Just for fun, this is a private-bin/private-lib Firefox running on Debian 9: | ||
115 | ````` | ||
116 | $ firejail --private-bin=firefox,firefox-esr,sh,which --private-lib=firefox-esr firefox | ||
117 | ````` | ||
118 | |||
119 | |||
120 | ## Profile build tool | ||
121 | ````` | ||
122 | $ firejail --build appname | ||
123 | $ firejail --build=appname.profile appname | ||
124 | ````` | ||
125 | The command builds a whitelisted profile. If /usr/bin/strace is installed on the system, it also | ||
126 | builds a whitelisted seccomp profile. The program is run in a very relaxed sandbox, | ||
127 | with only --caps.drop=all and --nonewprivs. Programs that raise user privileges are not supported | ||
128 | in order to allow strace to run. Chromium and Chromium-based browsers will not work. | ||
129 | |||
130 | Example: | ||
131 | ````` | ||
132 | $ firejail --build /usr/bin/vlc ~/Videos/test.mp4 | ||
133 | |||
134 | [...] | ||
135 | |||
136 | ############################################ | ||
137 | # /usr/bin/vlc profile | ||
138 | ############################################ | ||
139 | # Persistent global definitions | ||
140 | # include /etc/firejail/globals.local | ||
141 | |||
142 | ### basic blacklisting | ||
143 | include /etc/firejail/disable-common.inc | ||
144 | # include /etc/firejail/disable-devel.inc | ||
145 | include /etc/firejail/disable-passwdmgr.inc | ||
146 | # include /etc/firejail/disable-programs.inc | ||
147 | |||
148 | ### home directory whitelisting | ||
149 | whitelist ~/Videos | ||
150 | whitelist ~/.local/share/vlc | ||
151 | whitelist ~/.config/vlc | ||
152 | include /etc/firejail/whitelist-common.inc | ||
153 | |||
154 | ### filesystem | ||
155 | private-tmp | ||
156 | private-dev | ||
157 | private-etc vdpau_wrapper.cfg,udev,drirc,fonts,xdg,gtk-3.0,machine-id,selinux, | ||
158 | whitelist /var/lib/menu-xdg | ||
159 | # private-bin vlc, | ||
160 | |||
161 | ### security filters | ||
162 | caps.drop all | ||
163 | nonewprivs | ||
164 | seccomp | ||
165 | # seccomp.keep futex,poll,rt_sigtimedwait,ioctl,fdatasync,read,writev,sendmsg,sendto,write,recvmsg,mmap,mprotect,getpid,stat,clock_nanosleep,munmap,close,access,lseek,fcntl,open,fstat,lstat,brk,rt_sigaction,rt_sigprocmask,rt_sigreturn,madvise,shmget,shmat,shmctl,alarm,socket,connect,recvfrom,shutdown,getsockname,getpeername,setsockopt,getsockopt,clone,execve,uname,shmdt,flock,ftruncate,getdents,rename,mkdir,unlink,readlink,chmod,getrlimit,sysinfo,getuid,getgid,geteuid,getegid,getresuid,getresgid,statfs,fstatfs,prctl,arch_prctl,sched_getaffinity,set_tid_address,fadvise64,clock_getres,tgkill,set_robust_list,eventfd2,dup3,pipe2,getrandom,memfd_create | ||
166 | # 76 syscalls total | ||
167 | # Probably you will need to add more syscalls to seccomp.keep. Look for | ||
168 | # seccomp errors in /var/log/syslog or /var/log/audit/audit.log while | ||
169 | # running your sandbox. | ||
170 | |||
171 | ### network | ||
172 | protocol unix,netlink, | ||
173 | net none | ||
174 | |||
175 | ### environment | ||
176 | shell none | ||
177 | $ | ||
178 | ````` | ||
179 | |||
180 | ## New command line and profile options | ||
181 | ````` | ||
182 | --writable-run-user | ||
183 | This options disables the default blacklisting of | ||
184 | run/user/$UID/systemd and /run/user/$UID/gnupg. | ||
185 | |||
186 | Example: | ||
187 | $ sudo firejail --writable-run-user | ||
188 | |||
189 | --rlimit-as=number | ||
190 | Set the maximum size of the process's virtual memory (address | ||
191 | space) in bytes. | ||
192 | |||
193 | --rlimit-cpu=number | ||
194 | Set the maximum limit, in seconds, for the amount of CPU time | ||
195 | each sandboxed process can consume. When the limit is reached, | ||
196 | the processes are killed. | ||
197 | |||
198 | The CPU limit is a limit on CPU seconds rather than elapsed | ||
199 | time. CPU seconds is basically how many seconds the CPU has | ||
200 | been in use and does not necessarily directly relate to the | ||
201 | elapsed time. Linux kernel keeps track of CPU seconds for each | ||
202 | process independently. | ||
203 | |||
204 | --timeout=hh:mm:ss | ||
205 | Kill the sandbox automatically after the time has elapsed. The | ||
206 | time is specified in hours/minutes/seconds format. | ||
207 | |||
208 | $ firejail --timeout=01:30:00 firefox | ||
209 | |||
210 | --debug-private-lib | ||
211 | Debug messages for --private-lib option. | ||
212 | |||
213 | --netfilter=filename,arg1,arg2,arg3 ... | ||
214 | This is the template version of the previous command. $ARG1, | ||
215 | $ARG2, $ARG3 ... in the firewall script are replaced with arg1, | ||
216 | arg2, arg3 ... passed on the command line. Up to 16 arguments | ||
217 | are supported. Example: | ||
218 | |||
219 | $ firejail --net=eth0 --ip=192.168.1.105 \ | ||
220 | --netfilter=/etc/firejail/tcpserver.net,5001 server-program | ||
221 | |||
222 | --netfilter.print=name|pid | ||
223 | Print the firewall installed in the sandbox specified by name | ||
224 | or PID. Example: | ||
225 | |||
226 | $ firejail --name=browser --net=eth0 --netfilter firefox & | ||
227 | $ firejail --netfilter.print=browser | ||
228 | |||
229 | --netfilter6.print=name|pid | ||
230 | Print the IPv6 firewall installed in the sandbox specified by | ||
231 | name or PID. Example: | ||
232 | |||
233 | $ firejail --name=browser --net=eth0 --netfilter firefox & | ||
234 | $ firejail --netfilter6.print=browser | ||
235 | |||
236 | ````` | ||
237 | |||
238 | ## New profiles: | ||
239 | |||
240 | terasology, surf, rocketchat, clamscan, clamdscan, clamdtop, freshclam, xmr-stak-cpu, | ||
241 | amule, ardour4, ardour5, brackets, calligra, calligraauthor, calligraconverter, | ||
242 | calligraflow, calligraplan, calligraplanwork, calligrasheets, calligrastage, | ||
243 | calligrawords, cin, dooble, dooble-qt4, fetchmail, freecad, freecadcmd, google-earth, | ||
244 | imagej, karbon, kdenlive, krita, linphone, lmms, macrofusion, mpd, natron, Natron, | ||
245 | ricochet, shotcut, teamspeak3, tor, tor-browser-en, Viber, x-terminal-emulator, zart, | ||
246 | conky, arch-audit, ffmpeg, bluefish, cliqz, cinelerra, openshot-qt, pinta, uefitool, | ||
247 | aosp, pdfmod, gnome-ring, signal-desktop, xcalc, zaproxy, kopete, kget, nheko, Enpass, | ||
248 | kwin_x11, krunner, ping, bsdtar, makepkg (Arch), archaudit-report, cower (Arch), | ||
249 | kdeinit4 | ||
250 | |||
251 | Upstreamed many profiles from the following sources: https://github.com/chiraag-nataraj/firejail-profiles, | ||
252 | https://github.com/nyancat18/fe, and https://aur.archlinux.org/packages/firejail-profiles. | ||
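Review bot: the hunk removes the whole 0.9.51 development write-up (the /var whitelisting and globbing notes, the `firejail --build` profile tool and its vlc example, the `--writable-run-user`, `--rlimit-as`, `--rlimit-cpu`, `--timeout`, `--debug-private-lib`, `--netfilter=filename,arg1,...` and `--netfilter.print`/`--netfilter6.print` descriptions, and the new-profile list) and keeps only the bumped line `# Current development version: 0.9.53`, so the README no longer documents those options anywhere. If the text was moved to the release notes or the man page, add a one-line pointer under the version heading (e.g. "see RELNOTES for the 0.9.51 changes") so the 155-line deletion does not silently drop the only README-level documentation of the security filters (`caps.drop all`, `nonewprivs`, `seccomp`) and of the relaxed sandbox that `--build` runs under.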